Smartphone Used To Scan Data From Chip-Enabled Credit Cards
An anonymous reader sends this news from the CBC:
"Using a Samsung Galaxy SIII — one of the most popular smartphones available in Canada — and a free app downloaded from the Google Play store, CBC was able to read information such as a card number, expiry date and cardholder name simply holding the smartphone over a debit or credit card. And it could be done through wallets, pockets and purses. ... Although the NFC antennas in current smartphones need to be very close to a card in order to work — no farther than 10 cm — that could change with the next generation of Android smartphones. Legary said the Samsung Galaxy S4, set to go on sale this spring, might have a much more capable NFC antenna, which could not only read credit cards from a greater distance, but could also be able to read the chips embedded in enhanced driving licenses and passports."
Forget tinfoil hats... (Score:2, Insightful)
...what we need is tinfoil wallets!
(all joking aside, when I got my RFID enhanced driver's license I went out and got an RFID shielded wallet).
Did anybody not see this coming? (Score:5, Insightful)
I've always thought those tap-to-pay things were really a bad idea from a security perspective, as your card can be used without you even knowing it and without any form of authentication.
The fact that it will broadcast all of that information to just about anything tells me it's something which retailers and credit card companies like -- but it's mostly bad for security, but great for convenience.
I may need to call my bank and see if I can get that disabled on my cards. I don't use it, don't want it, and seeing this, I trust it even less than I ever have. I'd prefer it didn't even respond to the NFC terminals.
I've always thought this was massively insecure, and it looks like I was right.
Re:apply tags (Score:3, Insightful)
A solution looking for a problem. I love how we invent all this crap and then have to invent more crap to make the crap barely usable. If you have to put the card in a faraday wallet then how is it any better than...say...SWIPING IT?
We seem to be able to introduce NFC, but we can't implement chip and pin. I can does security! Herp de derp...
Re:Sensationalist.... (Score:5, Insightful)
Yes, but this provides opportunities for people you don't hand your card to to be able to get the same information.
So anybody on the street with a phone potentially has access to your information. And if some schmuck walked up to me on the street and asked me for my card number, name, and expiry date I wouldn't give it to them -- this makes it possible for people who you have no intention of giving this information to to be able to get it without you even knowing.
If NFC is so horribly broken that any random person with a free app from Google Play can access your credit card information without you knowing it, it's defective from the get go. Something I've always believed anyway. Its goal is to be convenient and spur people to use this as a payment option; it has never been designed with security and privacy in mind.
Re:Sensationalist.... (Score:4, Insightful)
Surprised isn't the right word. Appalled, sure. Surprised? No.
Then again, people still fall for spam, phishing, and those fake tech support calls from "the Windows provider" which people fall for.
Critical reasoning is a surprisingly uncommon thing. It depresses me, but it doesn't surprise me.
Re:Almost useless (Score:5, Insightful)
Tell that to the criminals who were spending money in gas stations and restaurants in central California using a clone of my wife's card a couple of years ago.
Re:Almost useless (Score:2, Insightful)
In the UK (and probably other places) chip and PIN was brought in by the banks so they could push liability onto the customer. They argue that because chip and PIN is "secure" then you MUST have given your PIN to a third party, ending their liability.